06-02-2022 12:36 AM
Hi everyone.
After upgrading the Cisco ASA version and the ASDM version too, our login via LDAP is not working. Through local logins it is possible. We have got 2 Cisco ASAs in failover state. I reloaded both ASAs, restored the old config, and checked the configuration of the AAA Server Groups. The command "debug ldap 255" showed failed communication with the AD server on LDAPS port 636, but when I tried TCP communication to the IP address of the AD server on port 636 via the Ping tool from the ASA, everything was fine. Does anybody know where the problem is, please?
Before the upgrade LDAP did work.
Thanks
06-02-2022 02:18 AM
Yes, it seems your issue is hitting the bug below, as you are using LDAP over SSL (ldap-over-ssl enable).
Check whether your new ASA version matches this bug.
If it does, you need to revert back or choose another version that has fixed this issue.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus71190
Thanks,
Jitendra
06-02-2022 01:14 AM - edited 06-02-2022 01:30 AM
Can you please share the LDAP config here?
Are you trying to authenticate LDAP with TLS?
Also share the old and new versions on the ASA.
I am also not sure if the issue matches the bug below.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus71190
Thanks,
Jitendra
06-02-2022 01:57 AM
ldap attribute-map Group-Check-ASA
map-name memberOf IETF-Radius-Service-Type
map-value memberOf "CN=CiscoASA Admins,OU=Users,OU=FNTN,DC=fntn,DC=sk" 6
aaa-server LDAP_ASA protocol ldap
aaa-server LDAP_ASA (inside) host 172.30.60.200
server-port 636
ldap-base-dn DC=fntn,DC=sk
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ***
ldap-login-dn CN=***,OU=Users,OU=FNTN,DC=fntn,DC=sk
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map Group-Check-ASA
aaa-server LDAP_ASA (inside) host 172.30.60.201
timeout 20
server-port 636
ldap-base-dn DC=fntn,DC=sk
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password ***
ldap-login-dn CN=***,OU=Users,OU=FNTN,DC=fntn,DC=sk
ldap-over-ssl enable
server-type microsoft
ldap-attribute-map Group-Check-ASA
user-identity default-domain LOCAL
aaa authentication http console LDAP_ASA LOCAL
aaa authentication ssh console LDAP_ASA LOCAL
aaa local authentication attempts max-fail 5
aaa authorization exec authentication-server auto-enable
aaa authentication login-history
06-02-2022 02:00 AM - edited 06-02-2022 02:02 AM
What ASA version were you on prior to the upgrade? What version are you running now?
Seems like you are hitting a bug: CSCus71190
06-02-2022 02:14 AM
old version of ASA: 9-12-4-18
new version of ASA: 9-14-4-7
also old version of ASDM: 7-15(1)150
new ASDM: 7-17(1)152
06-02-2022 03:15 AM
I do not think you are hitting this bug CSCus71190, as you already marked it answered. As the Cisco bug tool clearly mentions, this is fixed in version 9.5.1. In your case you were on 9.12 and it was working, and you went to 9.14 and it stopped working. The Cisco release notes for 9.14 do not mention that this bug has returned.
06-02-2022 04:58 AM
So I will check whether the AD servers use TLS 1.2.
06-02-2022 02:26 AM
Thank you. This is the correct answer.
06-02-2022 02:14 AM
Just SSL
old version of ASA: 9-12-4-18
new version of ASA: 9-14-4-7
also old version of ASDM: 7-15(1)150
new ASDM: 7-17(1)152